“Please wait, your document is loading.”
That’s the message victims saw right before their systems got hijacked. Behind that digital curtain, crypto miners and information stealers worked stealthily to infiltrate networks, exfiltrate sensitive data, and plant persistent malware.
In the latest ColorTokens Threat Advisory, we tracked how threat actors are not just breaching networks, but embedding themselves deeply, moving laterally, disabling defenses, and stealing data in ways that bypass even modern security controls.
This blog highlights the most urgent stories from the advisory and shares how to stop these attackers before they spread.
Cisco Firewalls and the VPN Entry Point That Refuses to Close
Cisco revealed two high-severity vulnerabilities, CVE-2025-20333 and CVE-2025-20362 (Common Vulnerabilities and Exposures), that let attackers remotely execute code and access Virtual Private Network (VPN) interfaces without authentication.
Scans as of late September showed nearly 50,000 Cisco Adaptive Security Appliances (ASA) and Firepower Threat Defense (FTD) devices still exposed online. Many are sitting on the edge of corporate networks, silently waiting for someone to exploit them.
The U.S. government even issued an emergency directive, urging agencies to patch or disconnect vulnerable devices within 24 hours.
Perimeter security can only do so much. Once attackers are inside a network that lacks internal controls, they can move laterally, fast and far.
From MFA to Full Compromise: SonicWall VPNs Fall to Akira Ransomware
SonicWall VPNs were supposed to be protected by One-Time Password (OTP) and Multi-Factor Authentication (MFA). But Akira ransomware affiliates bypassed all of that.
Security teams initially suspected a zero-day flaw, but it turns out attackers used credentials and stolen OTP seeds from past breaches. Even patched devices were compromised. Once inside, they moved laterally using tools like BloodHound, Impacket, and Directory Services Query (dsquery), targeting backup servers, extracting credentials, and disabling endpoint protection.
This is a textbook case of lateral movement, where attackers don’t just break in, they spread like wildfire. It underscores the need for microsegmentation, which limits the blast radius of an attack. With microsegmentation, even if an attacker slips in, they can’t roam freely.
Phishing and Malware Launchpads: SVG Files Used in Ransomware Campaigns
Forget shady executable (.exe) files or rogue PDFs. The latest phishing campaigns use Scalable Vector Graphics (SVG) files that double as HTML files, tricking users into launching full-scale malware campaigns.
One attack impersonated Ukraine’s national police, leading victims through a maze of loaders and fake Adobe windows before deploying PureMiner and Amatera Stealer, two payloads designed for crypto mining and massive data exfiltration.
The attackers used techniques like Dynamic Link Library (DLL) sideloading, fileless execution, and browser cookie theft, giving them long-term access and multiple revenue streams.
The phishing email looked official. The file looked harmless. The damage was anything but subtle, resulting in compromised systems and stolen data at scale.
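A file-level check for the SVG lure described above, added here as an example and not code from ColorTokens or the advisory: SVG is XML, so a mail gateway or file scanner can parse the document and flag the places where active content hides (script elements, on* event handlers, javascript: links, and HTML smuggled in via foreignObject). The sample SVGs and the element/attribute lists are my own constructed values.

```python
import xml.etree.ElementTree as ET

# Element names that carry executable or embedded-HTML content inside an SVG.
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}

# Constructed samples: a plain drawing and a lure styled like the "document loading" phish.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10"><circle cx="5" cy="5" r="4"/></svg>'
SUSPICIOUS_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="go()">'
    b'<script>//<![CDATA[ window.location = "https://example.invalid/loader"; //]]></script>'
    b'<a xlink:href="javascript:void(0)"><text>Please wait, your document is loading.</text></a>'
    b'</svg>'
)

def _local(tag: str) -> str:
    """Strip an XML namespace prefix: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return tag.rsplit("}", 1)[-1].lower()

def scan_svg(data: bytes) -> list[str]:
    """Return a list of findings describing active content in an SVG document (empty = nothing found)."""
    findings = []
    try:
        # For untrusted input in production, prefer defusedxml to limit entity-expansion abuse.
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable XML ({exc}); treat as suspicious"]
    for elem in root.iter():
        name = _local(elem.tag)
        if name in ACTIVE_TAGS:
            findings.append(f"<{name}> element")
        for attr, value in elem.attrib.items():
            lname = _local(attr)
            if lname.startswith("on"):
                findings.append(f"event handler {lname}= on <{name}>")
            if lname == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL on <{name}>")
    return findings

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, scan_svg(doc) or "clean")
```

A clean result does not prove a file is safe (a renamed HTML file will fail to parse as XML and is reported as such), so route any finding to quarantine rather than trying to sanitize the file.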
Healthcare Takes Another Hit: 600,000+ Records Exposed
Two healthcare providers, Goshen Medical Center and Archer Health, exposed over 600,000 patient records in separate incidents. One was caused by an open, unsecured database. The other delayed breach notifications for nearly seven months.
Both breaches involved medical histories, Social Security numbers, and unencrypted personal data.
Healthcare remains a high-value target, and these attacks reveal a pattern of reactive security. Once attackers enter these environments, lack of internal controls means they can exfiltrate sensitive data without resistance.
Botnet-as-a-Service and Ransomware: Your Router Could Be Mining for Someone Else
A new Loader-as-a-Service (LaaS) botnet is targeting Small Office/Home Office (SOHO) routers, Internet of Things (IoT) devices, and Linux servers, turning them into Mirai-style botnet nodes or crypto mining tools.
Attackers use a mix of default credentials, exposed admin panels, and multi-architecture malware to compromise everything from smart home gadgets to edge enterprise routers.
Logs from infected systems show automated payload delivery, device fingerprinting, and modular exploitation tactics, a clear sign of industrial-scale cybercrime.
This is not just an IoT problem. Many of these compromised devices sit inside or adjacent to corporate networks, acting as beachheads for lateral movement into critical infrastructure.
Actions to Take Now
Here’s how to reduce risk, contain threats, and prevent lateral movement across your environment:
- Contain lateral movement with microsegmentation
  - Divide your network into isolated zones so attackers cannot move freely if they get in.
  - Implement agent-based or agentless segmentation based on your environment.
- Patch known vulnerabilities quickly
  - Prioritize Cisco ASA/FTD and SonicWall VPN patching. Delay invites disaster.
  - Maintain a rolling patch schedule for high-risk CVEs.
- Strengthen MFA and credential hygiene
  - Reset VPN credentials, even on patched devices.
  - Rotate OTP seeds and monitor for reuse.
- Harden IoT and edge devices
  - Disable unnecessary remote management.
  - Block outbound traffic like Trivial File Transfer Protocol (TFTP), File Transfer Protocol (FTP), and unknown Hypertext Transfer Protocol (HTTP) connections from IoT networks.
- Educate users on phishing
  - Train employees to spot disguised file types like .svg, .chm, and .hta.
  - Reinforce caution with legal-looking emails or urgent government requests.
- Monitor for unusual internal activity
  - Watch for internal Remote Desktop Protocol (RDP) logins, Server Message Block (SMB) session setups, and enumeration tools.
  - Look for signs of post-compromise activity, not just perimeter breaches.
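The "monitor for unusual internal activity" item above, worked through as an added example that is not code from ColorTokens or the advisory: three detections run over constructed log events, one for RDP logons from hosts that are not approved jump hosts, one for execution of the enumeration tools the SonicWall/Akira story names (dsquery, BloodHound/SharpHound), and one for a single source opening SMB sessions to many hosts. The JSON-lines shape, the jump-host list and the tool list are my own assumptions; real Windows and Sysmon events carry the same fields under different names.

```python
import json
from collections import defaultdict

# Hosts allowed to originate RDP sessions (constructed example values).
JUMP_HOSTS = {"10.0.1.10"}
# Enumeration tools named in the advisory plus common AD-recon binaries, matched on basename.
ENUM_TOOLS = {"dsquery.exe", "sharphound.exe", "bloodhound.exe", "adfind.exe"}

# Constructed sample events in a simplified JSON-lines shape, not real log output.
# event_id 4624 = Windows logon (logon_type 10 = RemoteInteractive, i.e. RDP),
# event_id 4688 = process creation, event_id 3 = Sysmon network connection.
SAMPLE_LOG = r"""
{"event_id": 4624, "logon_type": 10, "src_ip": "10.0.1.10", "user": "admin", "host": "BACKUP01"}
{"event_id": 4624, "logon_type": 10, "src_ip": "10.0.5.23", "user": "jsmith", "host": "WS-104"}
{"event_id": 4624, "logon_type": 3, "src_ip": "10.0.5.23", "user": "jsmith", "host": "FILE01"}
{"event_id": 4688, "host": "WS-104", "user": "jsmith", "image": "C:\\Windows\\System32\\dsquery.exe"}
{"event_id": 4688, "host": "WS-104", "user": "jsmith", "image": "C:\\Users\\jsmith\\SharpHound.exe"}
{"event_id": 4688, "host": "WS-104", "user": "jsmith", "image": "C:\\Windows\\System32\\notepad.exe"}
{"event_id": 3, "src_ip": "10.0.2.5", "dst_ip": "10.0.1.50", "dst_port": 445}
{"event_id": 3, "src_ip": "10.0.5.23", "dst_ip": "10.0.5.30", "dst_port": 445}
{"event_id": 3, "src_ip": "10.0.5.23", "dst_ip": "10.0.5.31", "dst_port": 445}
{"event_id": 3, "src_ip": "10.0.5.23", "dst_ip": "10.0.5.32", "dst_port": 445}
{"event_id": 3, "src_ip": "10.0.5.23", "dst_ip": "10.0.5.31", "dst_port": 445}
"""

def detect(log_text: str, smb_fanout: int = 3) -> list[tuple[str, str]]:
    """Return (rule, detail) alerts for unexpected RDP sources, enumeration tools and SMB fan-out."""
    alerts = []
    smb_targets = defaultdict(set)  # src_ip -> distinct hosts contacted on port 445
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        eid = ev["event_id"]
        if eid == 4624 and ev.get("logon_type") == 10 and ev["src_ip"] not in JUMP_HOSTS:
            alerts.append(("rdp_from_non_jump_host", f"{ev['user']} from {ev['src_ip']} to {ev['host']}"))
        elif eid == 4688:
            exe = ev["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
            if exe in ENUM_TOOLS:
                alerts.append(("enumeration_tool", f"{exe} by {ev['user']} on {ev['host']}"))
        elif eid == 3 and ev.get("dst_port") == 445:
            smb_targets[ev["src_ip"]].add(ev["dst_ip"])
    # One source reaching many SMB servers in a short window is the fan-out pattern of lateral movement.
    for src, dsts in smb_targets.items():
        if len(dsts) >= smb_fanout:
            alerts.append(("smb_fan_out", f"{src} -> {len(dsts)} hosts on 445"))
    return alerts

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_LOG):
        print(rule, "|", detail)
```

Tune the jump-host set and the fan-out threshold to your own baseline; a workstation that legitimately reaches three file servers in a day should be excluded by the threshold, not by disabling the rule.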
Ready to Contain the Next Ransomware Attack?
Here’s what these attacks all have in common: the first breach isn’t what brings you down. It’s what happens next.
Attackers rely on flat networks, delayed patches, and weak internal visibility. That’s why microsegmentation is critical. Think of it as locking each room in your digital house so even if one door opens, the intruder goes no further.
If you want to stay a step ahead, start now. Get the full advisory, see the attack paths in detail, and equip your team with what matters.
You can also connect with our breach readiness expert and take the first step toward containment.